sinapse-ai 7.6.0 → 7.7.1

package/.claude/hooks/secret-scanning.cjs

@@ -0,0 +1,155 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Hook: Secret Scanning
+ *
+ * RULE: Detect and block potential secrets/credentials from being written to files.
+ *
+ * Protocol (Claude Code PreToolUse):
+ *   exit 0  → allow
+ *   exit 2  → block (message shown to model via stderr)
+ *
+ * Fail-open: if parsing fails, allow.
+ *
+ * @module secret-scanning
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// ---------------------------------------------------------------------------
+// Secret Patterns — ordered by severity
+// ---------------------------------------------------------------------------
+
+const SECRET_PATTERNS = [
+  // API Keys & Tokens
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: 'AWS Secret Key', pattern: /(?:aws_secret_access_key|secret_key)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/i },
+  { name: 'GitHub Token', pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
+  { name: 'GitHub OAuth', pattern: /gho_[A-Za-z0-9_]{36,}/ },
+  { name: 'Slack Token', pattern: /xox[bpors]-[0-9]{10,}-[A-Za-z0-9-]+/ },
+  { name: 'Stripe Key', pattern: /[sr]k_(live|test)_[A-Za-z0-9]{20,}/ },
+  { name: 'OpenAI Key', pattern: /sk-[A-Za-z0-9]{20,}/ },
+  { name: 'Anthropic Key', pattern: /sk-ant-[A-Za-z0-9-]{20,}/ },
+  { name: 'Supabase Key', pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}/ },
+  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z_-]{35}/ },
+  { name: 'Vercel Token', pattern: /vercel_[A-Za-z0-9]{20,}/ },
+
+  // Private Keys
+  { name: 'RSA Private Key', pattern: /-----BEGIN RSA PRIVATE KEY-----/ },
+  { name: 'SSH Private Key', pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/ },
+  { name: 'PGP Private Key', pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/ },
+  { name: 'EC Private Key', pattern: /-----BEGIN EC PRIVATE KEY-----/ },
+
+  // Connection Strings
+  { name: 'DB Connection String', pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@[^/\s]+/i },
+  { name: 'Supabase DB URL', pattern: /postgresql:\/\/postgres\.[A-Za-z0-9]+:[^@]+@/i },
+
+  // Generic Patterns (broader, lower confidence)
+  { name: 'Hardcoded Password', pattern: /(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{8,}['"]/i },
+  { name: 'Bearer Token', pattern: /[Bb]earer\s+[A-Za-z0-9_\-.]{20,}/ },
+  { name: 'Basic Auth', pattern: /[Bb]asic\s+[A-Za-z0-9+/=]{20,}/ },
+];
+
+/** Files that are expected to contain secret-like patterns */
+const EXEMPT_PATHS = [
+  '.env.example', '.env.template', '.env.sample',
+  'node_modules/', '.git/',
+  '.claude/hooks/',       // Hook scripts may reference patterns
+  'test/', 'tests/', '__tests__/',
+  '.sinapse-ai/core/',    // Framework core may have validators
+];
+
+/** File extensions to scan */
+const SCANNABLE_EXTENSIONS = [
+  '.ts', '.tsx', '.js', '.jsx', '.cjs', '.mjs',
+  '.json', '.yaml', '.yml', '.toml',
+  '.env', '.sh', '.bash', '.py',
+  '.md', '.txt', '.cfg', '.conf', '.ini',
+];
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function projectRoot() {
+  return process.env.CLAUDE_PROJECT_DIR || process.cwd();
+}
+
+function relativize(filePath, root) {
+  const normalized = filePath.replace(/\\/g, '/');
+  const normalizedRoot = root.replace(/\\/g, '/');
+  if (normalized.startsWith(normalizedRoot)) {
+    return normalized.slice(normalizedRoot.length).replace(/^\/+/, '');
+  }
+  return normalized;
+}
+
+function isExempt(rel) {
+  return EXEMPT_PATHS.some((ep) => rel.includes(ep));
+}
+
+function isScannable(rel) {
+  return SCANNABLE_EXTENSIONS.some((ext) => rel.endsWith(ext));
+}
+
+function scanForSecrets(content) {
+  const findings = [];
+  for (const { name, pattern } of SECRET_PATTERNS) {
+    if (pattern.test(content)) {
+      findings.push(name);
+    }
+  }
+  return findings;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+function main() {
+  let input;
+  try {
+    input = JSON.parse(fs.readFileSync(0, 'utf8'));
+  } catch {
+    process.exit(0); // fail-open
+  }
+
+  const toolName = input.tool_name || '';
+  if (toolName !== 'Write' && toolName !== 'Edit') {
+    process.exit(0);
+  }
+
+  const toolInput = input.tool_input || {};
+  const filePath = toolInput.file_path || '';
+  if (!filePath) process.exit(0);
+
+  const root = projectRoot();
+  const rel = relativize(filePath, root);
+
+  if (isExempt(rel)) process.exit(0);
+  if (!isScannable(rel)) process.exit(0);
+
+  // Scan content being written
+  const content = toolInput.content || toolInput.new_string || '';
+  if (!content) process.exit(0);
+
+  const findings = scanForSecrets(content);
+  if (findings.length === 0) process.exit(0);
+
+  // BLOCK
+  process.stderr.write(
+    `\nSECRET SCANNING BLOCK: Potential secrets detected!\n` +
+    `File: ${rel}\n` +
+    `Found: ${findings.join(', ')}\n` +
+    `\n` +
+    `DO NOT commit secrets to code. Instead:\n` +
+    `  - Use environment variables (.env) for local dev\n` +
+    `  - Use .env.example with placeholder values for templates\n` +
+    `  - Use secret managers for production (Supabase Vault, etc.)\n`,
+  );
+  process.exit(2);
+}
+
+main();

package/.claude/rules/cross-squad-routing.md

@@ -0,0 +1,47 @@
+# Cross-Squad Routing Rules
+
+> Applies to Imperator (sinapse-orqx) and ALL squad orchestrators (*-orqx).
+
+## Single-Squad Requests
+
+When a request maps cleanly to one domain, route directly:
+
+```
+"Crie um headline" → @copy-orqx → @headline-specialist
+"Audite a marca" → @brand-orqx → @brand-auditor
+"Otimize SEO" → @growth-orqx → @seo-specialist
+```
+
+## Multi-Squad Patterns
+
+For requests spanning multiple domains, use established patterns:
+
+| Pattern | Squads | Trigger |
+|---------|--------|---------|
+| `brand_launch` | brand + design + content + copy + animations | New brand from scratch |
+| `go_to_market` | product + commercial + content + paidmedia + growth | Launch product/service |
+| `strategic_pivot` | council + research + finance + product | Major direction change |
+| `full_digital_presence` | brand + design + content + animations + growth + paidmedia | Complete digital setup |
+| `security_compliance_audit` | cybersecurity + research | Security assessment |
+| `content_campaign` | content + copy + growth + paidmedia | Multi-channel campaign |
+| `course_launch` | courses + content + copy + commercial | Course/workshop launch |
+
+## Routing Priority
+
+1. **Exact match** — Request clearly belongs to one squad
+2. **Pattern match** — Request matches a known multi-squad pattern
+3. **Diagnostic** — Unclear request → Imperator diagnoses before routing
+
+## Handoff Between Squads
+
+When work flows from one squad to another:
+1. Outgoing squad writes deliverables to `docs/` or project files
+2. Outgoing orchestrator generates handoff artifact
+3. Incoming orchestrator receives artifact + reads deliverables
+4. Incoming orchestrator routes to appropriate specialist
+
+## Anti-Patterns
+
+- Never have two squads working on the same file simultaneously
+- Never skip the orchestrator (user → specialist directly) for multi-squad work
+- Never route to a squad without providing context from the previous squad

package/.claude/rules/hook-governance.md

@@ -0,0 +1,61 @@
+# Hook Governance Rules
+
+> Applies to ALL agents. Hooks are the enforcement layer of the Constitution.
+
+## Active Hook Registry
+
+### PreToolUse — Bash
+| Hook | Purpose | Behavior |
+|------|---------|----------|
+| `enforce-git-push-authority.sh` | Art. II — Only @devops can push | BLOCK (deny) |
+| `sql-governance.py` | Security — Block dangerous SQL | BLOCK (exit 2) |
+| `enforce-delegation.cjs` | Art. VIII — Orchestrators can't execute | BLOCK (exit 2) |
+
+### PreToolUse — Write|Edit
+| Hook | Purpose | Behavior |
+|------|---------|----------|
+| `enforce-architecture-first.cjs` | Art. III — Docs before protected code | BLOCK (exit 2) |
+| `write-path-validation.cjs` | Convention — Warn wrong doc paths | WARN (exit 0) |
+| `enforce-story-gate.cjs` | Art. III — Story required for code | BLOCK (exit 2) |
+| `slug-validation.py` | Convention — Validate naming | WARN (exit 0) |
+| `mind-clone-governance.py` | Cloning — DNA required | BLOCK (exit 2) |
+| `enforce-delegation.cjs` | Art. VIII — Orchestrators can't execute | BLOCK (exit 2) |
+
+### PreToolUse — Read
+| Hook | Purpose | Behavior |
+|------|---------|----------|
+| `read-protection.py` | Security — Control sensitive file access | WARN (exit 0) |
+
+### UserPromptSubmit
+| Hook | Purpose | Behavior |
+|------|---------|----------|
+| `synapse-wrapper.cjs` | SYNAPSE context injection | ALLOW (exit 0) |
+
+### PreCompact
+| Hook | Purpose | Behavior |
+|------|---------|----------|
+| `precompact-wrapper.cjs` | Session digest before compaction | ALLOW (exit 0) |
+
+## Hook Design Principles
+
+1. **Fail-open** — If a hook crashes or can't parse input, exit 0 (allow)
+2. **Fast** — Each hook must complete in < 5 seconds
+3. **Silent on success** — Only output on block or warning
+4. **Deterministic** — Same input always produces same output
+5. **No side effects** — Hooks read state but don't modify it
+
+## Adding New Hooks
+
+1. Create script in `.claude/hooks/` (prefer CJS for portability)
+2. Add entry to `.claude/settings.json` under appropriate event
+3. Document in this file (hook-governance.md)
+4. Test with mock JSON via stdin
+5. Verify fail-open behavior with invalid input
+
+## Exit Code Protocol
+
+| Code | Meaning | Effect |
+|------|---------|--------|
+| 0 | Allow | Operation proceeds |
+| 2 | Block | Operation denied, message shown to model |
+| Other | Ignored | Operation proceeds (treated as 0) |

package/.claude/rules/security-scanning.md

@@ -0,0 +1,42 @@
+# Security Scanning Rules
+
+> Applies to ALL agents writing code or configuration files.
+
+## Secret Detection
+
+NEVER commit files containing:
+- API keys, tokens, or passwords in plaintext
+- `.env` files with real values (use `.env.example` with placeholders)
+- OAuth credentials (`access_token`, `refresh_token`, `client_secret`)
+- Private keys (RSA, SSH, PGP)
+- Database connection strings with credentials
+- Webhook URLs with embedded tokens
+
+## Path Traversal Prevention
+
+When handling file paths from user input or external sources:
+- Reject paths containing `..` segments
+- Reject absolute paths outside project root
+- Normalize paths before validation (`path.resolve()` then check prefix)
+- Never construct paths with string concatenation from untrusted input
+
+## SQL Injection Prevention
+
+- Always use parameterized queries — never string interpolation
+- Supabase RPC functions must use `$1, $2` parameter placeholders
+- Edge functions must validate and sanitize all query parameters
+- `sql-governance.py` hook blocks dangerous SQL patterns automatically
+
+## Dependency Security
+
+- Review new dependencies before adding (`npm audit`)
+- Prefer well-maintained packages (>1K weekly downloads, recent updates)
+- Pin exact versions in production dependencies
+- Never install packages with known critical vulnerabilities
+
+## Hooks Enforcement
+
+Active security hooks in `.claude/settings.json`:
+- `sql-governance.py` — blocks dangerous SQL in Bash commands
+- `read-protection.py` — controls access to sensitive config files
+- `enforce-architecture-first.cjs` — requires docs before protected code paths

package/.sinapse-ai/cli/commands/health/index.js

@@ -0,0 +1,237 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * sinapse health — Framework Health Analytics
+ *
+ * Analyzes the health of a SINAPSE installation:
+ * - Hook connectivity (wired vs orphaned)
+ * - Squad completeness (metadata, preferences, KBs)
+ * - Rule coverage
+ * - Agent authority compliance
+ * - Skill activation coverage
+ *
+ * Usage:
+ *   sinapse health              # Full health report
+ *   sinapse health --json       # JSON output
+ *   sinapse health --fix        # Auto-fix common issues
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function findProjectRoot() {
+  let dir = process.cwd();
+  while (dir !== path.dirname(dir)) {
+    if (fs.existsSync(path.join(dir, '.sinapse-ai'))) return dir;
+    dir = path.dirname(dir);
+  }
+  return process.cwd();
+}
+
+function checkHooks(root) {
+  const results = { score: 0, max: 0, issues: [] };
+  const settingsPath = path.join(root, '.claude', 'settings.json');
+
+  results.max += 3;
+  if (!fs.existsSync(settingsPath)) {
+    results.issues.push({ severity: 'critical', msg: '.claude/settings.json not found' });
+    return results;
+  }
+
+  const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+  const hooks = settings.hooks || {};
+
+  // Check PreToolUse exists
+  if (hooks.PreToolUse && hooks.PreToolUse.length > 0) {
+    results.score += 1;
+  } else {
+    results.issues.push({ severity: 'high', msg: 'No PreToolUse hooks configured' });
+  }
+
+  // Check UserPromptSubmit exists
+  if (hooks.UserPromptSubmit && hooks.UserPromptSubmit.length > 0) {
+    results.score += 1;
+  } else {
+    results.issues.push({ severity: 'medium', msg: 'No UserPromptSubmit hooks configured' });
+  }
+
+  // Count total connected hooks
+  let connected = 0;
+  Object.values(hooks).forEach((matchers) =>
+    matchers.forEach((m) => (m.hooks || []).forEach(() => connected++)),
+  );
+
+  // Check hook files exist
+  const hooksDir = path.join(root, '.claude', 'hooks');
+  if (fs.existsSync(hooksDir)) {
+    const hookFiles = fs.readdirSync(hooksDir).filter((f) => f.endsWith('.cjs') || f.endsWith('.sh') || f.endsWith('.py'));
+    const orphaned = hookFiles.length - connected;
+    if (orphaned <= 5) results.score += 1; // Some orphaned is OK (utilities, legacy)
+    else results.issues.push({ severity: 'low', msg: `${orphaned} hook files not connected to settings.json` });
+  }
+
+  results.connected = connected;
+  return results;
+}
+
+function checkSquads(root) {
+  const results = { score: 0, max: 0, issues: [], squads: [] };
+  const squadsDir = path.join(root, 'squads');
+
+  if (!fs.existsSync(squadsDir)) {
+    results.issues.push({ severity: 'medium', msg: 'squads/ directory not found' });
+    return results;
+  }
+
+  const squadDirs = fs.readdirSync(squadsDir).filter((d) => d.startsWith('squad-') && fs.statSync(path.join(squadsDir, d)).isDirectory());
+
+  for (const squad of squadDirs) {
+    const dir = path.join(squadsDir, squad);
+    const checks = { name: squad, metadata: false, preferences: false, agents: 0, tasks: 0 };
+    results.max += 2;
+
+    // Check metadata
+    const yamlPath = path.join(dir, 'squad.yaml');
+    if (fs.existsSync(yamlPath)) {
+      const content = fs.readFileSync(yamlPath, 'utf8');
+      checks.metadata = /agents_count|total_files/.test(content);
+      if (checks.metadata) results.score += 1;
+      else results.issues.push({ severity: 'low', msg: `${squad}: missing metadata in squad.yaml` });
+    }
+
+    // Check preferences
+    checks.preferences = fs.existsSync(path.join(dir, 'preferences'));
+    if (checks.preferences) results.score += 1;
+    else results.issues.push({ severity: 'low', msg: `${squad}: missing preferences/ directory` });
+
+    // Count assets
+    const agentsDir = path.join(dir, 'agents');
+    const tasksDir = path.join(dir, 'tasks');
+    checks.agents = fs.existsSync(agentsDir) ? fs.readdirSync(agentsDir).filter((f) => f.endsWith('.md')).length : 0;
+    checks.tasks = fs.existsSync(tasksDir) ? fs.readdirSync(tasksDir).filter((f) => f.endsWith('.md')).length : 0;
+
+    results.squads.push(checks);
+  }
+
+  return results;
+}
+
+function checkRules(root) {
+  const results = { score: 0, max: 1, issues: [] };
+  const rulesDir = path.join(root, '.claude', 'rules');
+
+  if (!fs.existsSync(rulesDir)) {
+    results.issues.push({ severity: 'high', msg: '.claude/rules/ not found' });
+    return results;
+  }
+
+  const rules = fs.readdirSync(rulesDir).filter((f) => f.endsWith('.md'));
+  if (rules.length >= 13) results.score += 1;
+  else results.issues.push({ severity: 'medium', msg: `Only ${rules.length} rules (recommended: 16+)` });
+
+  results.count = rules.length;
+  return results;
+}
+
+function checkSkills(root) {
+  const results = { score: 0, max: 1, issues: [] };
+  const skillsDir = path.join(root, '.claude', 'skills');
+
+  if (!fs.existsSync(skillsDir)) {
+    results.issues.push({ severity: 'medium', msg: '.claude/skills/ not found' });
+    return results;
+  }
+
+  const skills = fs.readdirSync(skillsDir).filter((f) => f.endsWith('.md') || fs.statSync(path.join(skillsDir, f)).isDirectory());
+  // Check for path-activated skills
+  let pathActivated = 0;
+  for (const skill of skills) {
+    const skillPath = path.join(skillsDir, skill);
+    if (fs.statSync(skillPath).isFile()) {
+      const content = fs.readFileSync(skillPath, 'utf8');
+      if (/^paths:/m.test(content)) pathActivated++;
+    }
+  }
+
+  if (pathActivated >= 3) results.score += 1;
+  else results.issues.push({ severity: 'low', msg: `Only ${pathActivated} path-activated skills (recommended: 5+)` });
+
+  results.total = skills.length;
+  results.pathActivated = pathActivated;
+  return results;
+}
+
+async function runHealth(options = {}) {
+  const root = findProjectRoot();
+  const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));
+
+  const hookResults = checkHooks(root);
+  const squadResults = checkSquads(root);
+  const ruleResults = checkRules(root);
+  const skillResults = checkSkills(root);
+
+  const totalScore = hookResults.score + squadResults.score + ruleResults.score + skillResults.score;
+  const totalMax = hookResults.max + squadResults.max + ruleResults.max + skillResults.max;
+  const percentage = Math.round((totalScore / totalMax) * 100);
+
+  const allIssues = [
+    ...hookResults.issues,
+    ...squadResults.issues,
+    ...ruleResults.issues,
+    ...skillResults.issues,
+  ];
+
+  if (options.json) {
+    console.log(JSON.stringify({
+      version: pkg.version,
+      health: percentage,
+      score: `${totalScore}/${totalMax}`,
+      hooks: { connected: hookResults.connected, score: `${hookResults.score}/${hookResults.max}` },
+      squads: { count: squadResults.squads.length, score: `${squadResults.score}/${squadResults.max}` },
+      rules: { count: ruleResults.count, score: `${ruleResults.score}/${ruleResults.max}` },
+      skills: { total: skillResults.total, pathActivated: skillResults.pathActivated, score: `${skillResults.score}/${skillResults.max}` },
+      issues: allIssues,
+    }, null, 2));
+    return;
+  }
+
+  // Pretty output
+  const bar = (score, max) => {
+    const filled = Math.round((score / max) * 10);
+    return '█'.repeat(filled) + '░'.repeat(10 - filled);
+  };
+
+  console.log(`\n  SINAPSE Health Report — v${pkg.version}`);
+  console.log(`  ${'═'.repeat(50)}\n`);
+  console.log(`  Overall Health: ${percentage}% ${bar(totalScore, totalMax)} (${totalScore}/${totalMax})\n`);
+  console.log(`  Hooks:   ${bar(hookResults.score, hookResults.max)} ${hookResults.connected || 0} connected`);
+  console.log(`  Squads:  ${bar(squadResults.score, squadResults.max)} ${squadResults.squads.length} squads`);
+  console.log(`  Rules:   ${bar(ruleResults.score, ruleResults.max)} ${ruleResults.count || 0} rules`);
+  console.log(`  Skills:  ${bar(skillResults.score, skillResults.max)} ${skillResults.pathActivated || 0} path-activated\n`);
+
+  if (allIssues.length > 0) {
+    console.log(`  Issues (${allIssues.length}):`);
+    for (const issue of allIssues.slice(0, 10)) {
+      const icon = issue.severity === 'critical' ? '🔴' : issue.severity === 'high' ? '🟠' : issue.severity === 'medium' ? '🟡' : '🔵';
+      console.log(`    ${icon} ${issue.msg}`);
+    }
+    if (allIssues.length > 10) console.log(`    ... and ${allIssues.length - 10} more`);
+    console.log('');
+  } else {
+    console.log('  ✅ No issues found!\n');
+  }
+}
+
+module.exports = { runHealth };
+
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  runHealth({
+    json: args.includes('--json'),
+    fix: args.includes('--fix'),
+  }).catch((err) => {
+    console.error(`Error: ${err.message}`);
+    process.exit(1);
+  });
+}